Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Minor HTML character issue on text field with HTML formatting
-
When I enter into a text field with HTML formatting, the HTML code for the copyright symbol (i.e either © or ©), the field outputs the actual symbol as opposed to the HTML code. This causes issues in Firefox where a question mark in a black diamond is displayed.
-
Same issue here - when & copy ; without spaces is added to a text field with HTML formatted, it gets mangled by $value = html_entity_decode($value); in get_value_for_api in text.php
-
If it's set to no formatting it displays literally as & copy ; [without spaces]. The normal use case for something like this is editable footer text - copyright, perhaps a link or two, etc, so it needs to work with the HTML option.
Have just noticed that when I reload the options page that I'm saving this in, it has been converted to a copyright symbol inside the textarea too, rather than staying as the exact code I entered. Looks like some encoding/decoding bug. -
I'm having the same issue with & nbsp ; - HTML formatting displays as a question mark diamond in Firefox because it's converting it beforehand, and no formatting converts the ampersand, so it literally says the nbsp text, rather than having a space.
-
Hey guys, maybe I've accidentally fixed this in the new version (still working on it), but I can successfully save these html entities in a text field.
The update should be out today or tomorrow. Hopefully this fixes the issue for you.
If not, I think it's a database charset issue or something similar.
Cheers -
Nope, still seems to be happening. Have looked through the source again - there's actually two separate issues.
Firstly, anything displayed in a textarea in the backend isn't being escaped. So if you enter ©, and save, you see the actual copyright icon in the textarea, because the source code just has © rather than &copy;. More importantly, if you enter something like </textarea>hello, the HTML breaks. Anything displayed in a textarea needs to be run through esc_textarea or something equivalent.
Secondly, back to the © issue - if you enter that, then save, the database field contains © correctly. However, the output on the front end gets run through html_entity_decode($value). If you run the php statement html_entity_decode('©'), it outputs the non-UTF8 character for a copyright directly in the source - so it would display if you're not using the standard UTF-8 character set. It should just print out © directly - html_entity_decode should only really be run on something that has already been processed with htmlentities, not the raw input. -
Still a bug in 3.3.7.
-
Hi Elliot,
Due to the lack of response I think you must have misunderstood the importance of what I said above. This is no longer a minor issue - the lack of escaping in a textarea is a major security issue that must be fixed immediately.
Try creating a textarea custom field, and filling the following into it:</textarea><script>document.location='http://www.google.com';</script>
You'll now be locked out of that page entirely, unless you disable javascript or edit the database directly. Allowing things like this (and this is a basic example) to be injected into the admin page by anyone who can access custom fields is a serious problem.
Line 40 of textarea.php needs to become:echo '<textarea id="' . $field['name'] . '" rows="4" class="' . $field['class'] . '" name="' . $field['name'] . '" >' . esc_textarea($field['value']) . '</textarea>';
As for the other issue - there is no logical reason to use html_entity_decode when grabbing the value for inputs and textareas; this is simply a mistake and should be removed. It does not do anything in terms of necessary escaping; all it does it convert some correct characters to incorrect ones. It can be safely removed without affecting anyone's site negatively.
-
Hi TripleM,
Thanks for the follow up.
Yep, I'll try this out and improve the escaping. Should I swap html_entity_decode for esc_textarea? -
No, esc_textarea is just for when the content is displaying inside a textarea somewhere and ensures what you enter gets saved exactly as typed. If you're using a field with the HTML formatting chosen and want it to display on the frontend, you want it to display exactly as entered - no escaping should be necessary at that stage.
-
These are both still broken, and both 2 minute fixes. When will you be looking at these? (I'm surprised you're treating bug fixes and feature updates with a higher priority than security holes - the latter is always far more important).
-
Hi @TripleM
I would love to get your help on this. You seem to know exactly what to do.
Can you post the code fixes necessary for better textarea / content escaping?
Thanks -
Keep in mind that the value saved to the db needs to be "changed" by the formatting options!
-
I already have.
http://support.advancedcustomfields.com/discussion/comment/7496#Comment_7496 contains the code for the textarea / security hole fix.
http://support.advancedcustomfields.com/discussion/comment/5147#Comment_5147 says all you need to do for the other bug is remove the html_entity_decode function. That's in both textarea.php and text.php, get_field_for_api functions, when format is 'html'.
-
Thanks @TripleM
-
Great work @TripleM
I've made both your changes to the next version!
Thanks for your patience and support.
Cheers
Elliot
